4 Shocking Security Vulnerabilities in Leading Point of Sale Systems
It was just announced that MICROS point of sale systems around the country are believed to have been hacked by a Russian cyber-gang. It is unbelievable that this type of attack is still possible in our security-conscious world.
Banner Health recently announced that a hack performed through their POS system let 3.7MM patient records leave the building. Hackers wanting to extract sensitive data could have gotten it in easier ways. Here are some glaring security holes at our country’s largest point of sale manufacturers.
Little-to-no database security
One of the leading point of sale manufacturers in the United States doesn’t use any security for storing sensitive information. They rely on Windows security and trust the person accessing the file system is authorized. This means anyone with the file on their computer can open and read it without entering a username or password.
Another leading manufacturer has its database credentials published publicly, giving anyone with a free SQL tool the keys to the kingdom.
No credit card encryption
Almost every POS system you come across at bars and restaurants uses a magnetic stripe reader connected to the computer as a keyboard. In most cases the data within the stripe on the credit card is sent from the reader to the point of sale terminal in clear text, making it highly vulnerable to data thieves.
No data-level encryption
Even when a secured database is used to store data, the data itself is often stored in clear text. This means sensitive data is sitting there, waiting to be exposed by the first nefarious query.
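A check for the two clear-text problems described above (swipe data arriving as keystrokes, and card numbers stored unencrypted in a database), written as an added example that is not from the original article or any POS vendor. It assumes the standard ISO/IEC 7813 track layouts; the sample input is constructed and uses well-known test card numbers.

```python
import re

# Track 1 (ISO/IEC 7813 format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})\d{3}[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})\d{3}[^?]*\?")
# Bare PAN candidate: 13-19 digits, optionally separated by spaces or dashes.
BARE_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; rejects most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first 6 / last 4 so the finding itself is not cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked PAN) for each distinct clear-text card number."""
    findings, seen = [], set()
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2), ("pan", BARE_PAN)):
        for m in rx.finditer(text):
            pan = re.sub(r"\D", "", m.group(0) if rx is BARE_PAN else m.group(1))
            if luhn_ok(pan) and pan not in seen:
                seen.add(pan)
                findings.append((kind, mask(pan)))
    return findings


# Constructed sample: one keyboard-wedge swipe and two database rows (test PANs only).
SAMPLE = """%B4111111111111111^DOE/JANE^25121011234?;4111111111111111=25121011234?
INSERT INTO payments VALUES (17, '5555 5555 5555 4444', 42.10);
INSERT INTO payments VALUES (18, '1234567890123456', 9.99);
"""

if __name__ == "__main__":
    for kind, masked in scan(SAMPLE):
        print(kind, masked)
```

Run against a text export of a POS database or a log file, any finding means card data is readable without a key. The third sample row is not reported because it fails the Luhn check.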
Unsecured APIs
Many modern POS systems use application programming interfaces (APIs) to provide options for external applications to integrate. Data sent back and forth across the network isn’t encrypted and can be read by anyone with a simple network sniffer. This includes credit card information for payments.
We can do better
America’s point of sale manufacturers can do better. There are countless more ways in which they can secure the sensitive data of our daily lives.
About the Author
Richard Bagdonas is a data integration expert with over 15 years of experience integrating with point of sale, electronic health record, customer relationship management, and warehouse management systems. He has integrated software with 15 of the leading POS manufacturers in the United States. Richard is currently Chief Healthcare Architect at MI7 where he oversees the company’s integration with electronic health record systems.
You can also follow me on Twitter at @richardbagdonas.